Analysis
- max time kernel: 151s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/05/2024, 14:51
Static task: static1
Behavioral task: behavioral1
- Sample: e33a087df867e08ef26ac3b2f81f2910_NEIKI.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: e33a087df867e08ef26ac3b2f81f2910_NEIKI.exe
- Resource: win10v2004-20240226-en
General
- Target: e33a087df867e08ef26ac3b2f81f2910_NEIKI.exe
- Size: 85KB
- MD5: e33a087df867e08ef26ac3b2f81f2910
- SHA1: 9dbcb01012c385806af206e029a5348b2db55f8a
- SHA256: 7888c7dea7ba6e2b5d8ef53347c571d886f0a9d976f9f48ba934ac036c7291a6
- SHA512: 7afd0a9362e0f3fd3342e22d3f13decd5ed6309768a486e104ea41f6809e4f6fc925fdd3548db4b270419deb40b8b0ec437580ad9be23ee74bcc53aa51dce641
- SSDEEP: 768:4a4r+PpHfXGLOFCk6SLARI+WEkFfsEjUPIOuJI5R7xuMAnXMcMaJIWmS2zIzV9xl:sr+Fum5LMI+WTJjcsnXMcpm/zOxJXKJs
Malware Config
Signatures
Drops file in Drivers directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | e33a087df867e08ef26ac3b2f81f2910_NEIKI.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
Manipulates Digital Signatures 1 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\wintrust.dll | AE 0124 BE.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | e33a087df867e08ef26ac3b2f81f2910_NEIKI.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | winlogon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | AE 0124 BE.exe
Executes dropped EXE 4 IoCs
pid | Process
4148 | winlogon.exe
3088 | AE 0124 BE.exe
1052 | winlogon.exe
1764 | winlogon.exe
Loads dropped DLL 3 IoCs
pid | Process
3088 | AE 0124 BE.exe
1052 | winlogon.exe
1764 | winlogon.exe
Drops desktop.ini file(s) 24 IoCs
Drops autorun.inf file 1 TTPs 25 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | e33a087df867e08ef26ac3b2f81f2910_NEIKI.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | AE 0124 BE.exe
NTFS ADS 1 IoCs
description | ioc | Process
File created | C:\Windows\AE 0124 BE.C:\WINDOWS\Installer\SourceHash{CE7E4A6A-45A2-2968-4B34-D0D4CFCC0E1D} | e33a087df867e08ef26ac3b2f81f2910_NEIKI.exe
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
1616 | e33a087df867e08ef26ac3b2f81f2910_NEIKI.exe
4148 | winlogon.exe
3088 | AE 0124 BE.exe
1052 | winlogon.exe
1764 | winlogon.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 1616 wrote to memory of 4148 | 1616 | e33a087df867e08ef26ac3b2f81f2910_NEIKI.exe | 91
PID 1616 wrote to memory of 4148 | 1616 | e33a087df867e08ef26ac3b2f81f2910_NEIKI.exe | 91
PID 1616 wrote to memory of 4148 | 1616 | e33a087df867e08ef26ac3b2f81f2910_NEIKI.exe | 91
PID 4148 wrote to memory of 3088 | 4148 | winlogon.exe | 92
PID 4148 wrote to memory of 3088 | 4148 | winlogon.exe | 92
PID 4148 wrote to memory of 3088 | 4148 | winlogon.exe | 92
PID 4148 wrote to memory of 1052 | 4148 | winlogon.exe | 93
PID 4148 wrote to memory of 1052 | 4148 | winlogon.exe | 93
PID 4148 wrote to memory of 1052 | 4148 | winlogon.exe | 93
PID 3088 wrote to memory of 1764 | 3088 | AE 0124 BE.exe | 94
PID 3088 wrote to memory of 1764 | 3088 | AE 0124 BE.exe | 94
PID 3088 wrote to memory of 1764 | 3088 | AE 0124 BE.exe | 94
Processes
(indentation shows the process tree depth)

C:\Users\Admin\AppData\Local\Temp\e33a087df867e08ef26ac3b2f81f2910_NEIKI.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e33a087df867e08ef26ac3b2f81f2910_NEIKI.exe"
  PID: 1616
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\drivers\winlogon.exe
    command line: "C:\Windows\System32\drivers\winlogon.exe"
    PID: 4148
    - Drops file in Drivers directory
    - Checks computer location settings
    - Executes dropped EXE
    - Drops autorun.inf file
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\AE 0124 BE.exe
      command line: "C:\Windows\AE 0124 BE.exe"
      PID: 3088
      - Manipulates Digital Signatures
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\drivers\winlogon.exe
        command line: "C:\Windows\System32\drivers\winlogon.exe"
        PID: 1764
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\drivers\winlogon.exe
      command line: "C:\Windows\System32\drivers\winlogon.exe"
      PID: 1052
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
  PID: 3100
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1.4MB
- MD5: 25f62c02619174b35851b0e0455b3d94
- SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
- SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
- SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

- Filesize: 130KB
- MD5: b546cdcea3b9871b5c8c9fde3794896f
- SHA1: cb3dafe0b8e6c7231b2a81f363e52bf14d38d4e0
- SHA256: c09eba76d404a200d4db263c0cfb9ee5d5fa39cbc343842e974644d30f6e5bea
- SHA512: ed7ff7e41cb63ba0ac7e13901f223e81ba46e2d3553ded793825b08972ff42bfabf1c41a3e1ebec11252726344bb563a2f2e18eae253bd4b45201a6c8617b30b

- Filesize: 21B
- MD5: 9cceaa243c5d161e1ce41c7dad1903dd
- SHA1: e3da72675df53fffa781d4377d1d62116eafb35b
- SHA256: 814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189
- SHA512: af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b